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Abstract. The Bivariate Function Hard Problem (BFHP) has been in 
existence implicitly in almost all number theoretic based cryptosystems. 
This work defines the BFHP in a more general setting and produces an 
efficient asymmetric cryptosystem. The cryptosystem has a complexity 
order of 0(n 2 ) for both encryption and decryption. 

1 Introduction 

In Section 2 of this work, we define the Bivariate Function Hard Problem (BFHP) 
and illustrate its existence within the RSA hard problem. We then proceed to 
produce an asymmetric cryptosystem in Section 3 that thoroughly utilizes the 
BFHP concept. In Section 4 we produce a table of comparison between known 
asymmetric algorithms and the algorithm introduced in this work. We conclude 
in Section 5. 

2 Bivariate Function Hard Problem 

The following proposition gives a proper an analytical description of the "Bi- 
variate Function Hard Problem" (BFHP). 

Proposition 1. Let F(xi, x 2 , ...,x n ) be a multivariate one-way function that 
maps F : Z™ — > Zi n _j 2 n—iy Let F\ and F 2 be such functions (either identical 
or non-identical) such that A\ = F\{x\, x n ), A 2 = F 2 (yi,y2, •••,2/n) an d 

gcd(Ai, A2) = 1. Let u,v G Zi^.j 2 m_]v Let 

G(u,v) = A x u + A 2 v (1) 

// at minimum m — n — 1 = 129, it is infeasible to determine (it, v) from G(u, v). 
Furthermore, (it, v) is unique for G(it, v) with high probability. 

Remark 1. Before we proceed with the proof, we remark here that the diophan- 
tine equation given by G(w, v) is solved when the parameters (it, v) are found. 
That is, the BFHP is solved when the parameters (u, v) are found. 



Proof. We begin by proving that (u,v) is unique for each G(u,v) with high 
probability. Assume there exists u\ ^ u 2 and v\ ^ v 2 such that 



Aiui + A 2 v 1 = A x u 2 + A 2 v 2 (2) 

We will then have 

v A 1 (ui-u 2 ) 
Y = vi - v 2 = 



A 2 

Since gcd(Ai,A 2 ) = 1 and A 2 2™, then the probability that Y is an integer is 

Next we proceed to prove that to solve the diophantine equation given by G(u, v) 
is infeasible to be solved. The general solution for G{u,v) is given by 

u = u + A 2 t (3) 

and 

v = v - Ait (4) 

for some integer t. To find u within the stipulated interval (u € (2 m_1 , 2 m — 1)) 
we have to find the integer t such that 2 m_1 < u < 2 m — 1. This gives 

2" 1 - 1 -u t 2 m - 1 - u 
A 2 A 2 

Then the difference between the upper and the lower bound is 



2™ 



2 m ~ n ~ 2 



Since m — n — 1 = 129, then m — n — 2 = 128. Hence the difference is very large 
and finding the correct t is infeasible. This is also the same scenario for vM 

Remark 2. It has to be noted that the BFHP in the form we have described has 
to be coupled with other mathematical considerations upon Fi 1 F 2 ,u 1 v to yield 
practical cryptographic constructions. 

Definition 1. Let the tuple (M } e,d 7 p,q) be strong RSA parameters. Let N = 
pq,ed = \{mod (f>{N)) and <j)(N) = (p - l)(q - 1). From C = M e (mod N) we 
rewrite as 

C(M,j) = M e -Nj (5) 

where j is the number of times M e is reduced by N until C(M,j) is obtained. 
The problem of determining (M, j) from equation (5) is the RSA BFHP. The 
pair (M,j) is unique with high probability for each C(M, j). 

Remark 3. With little effort, one can also produce a BFHP for the discrete log 
problem (DLP). Analysis could also be done within the framework given for the 
RSA-BFHP. 



The following 3 analytical results gives a clear picture regarding the RSA-BFHP. 
All result re-affirms the "infeasibility" of trying solve the RSA problem. We also 
produce a corollary that may shed some light regarding the RSA problem and 
integer factorization. 

Lemma 1. The RSA BFHP is infeasible to be solved. 
Proof. Let X = M e . From 

C(X,j) = X-Nj (6) 



the general solution is 
and 



X = Xq - Nt 



i = jo + 1 



for some t G Z. It is easy to deduce that the correct t belongs in the interval 
( 2 fc(e-i)-i )2 fc(e-i) _ 1). Current RSA deployment has k = 1024. Hence, to solve 
the RSA BFHP is infeasible.B 

Lemma 2. RSA problem = p RSA BFHP 

Proof. From C = M e (mod N) if the RSA problem is solved then M is found. 
Hence, j = is also found. Thus, the RSA BFHP is solved. 

From C(X,j) = X - Nj, if the RSA BFHP is solved means that (M,j) is 
found. Thus, the RSA problem is solved. ■ 

Corollary 1. Solving RSA BFHP does not imply successful factoring of N = 
pq. 

Proof. From Remark 1, if RSA BFHP is solved then (M,j) is found. That is, 

M= </C + Nj 

and 

. _M e -C 
3 ~ N ' 

It is obvious that the factoring of N was not obtained. ■ 



3 A new asymmetric cryptosystem based on the BFHP 
3.1 Common values 

This scheme is to facilitate secure communication asymmetrically between 2 par- 
ties namely A (Along) and B (Busu). For both of them there will 2 sets of public 
parameters determined prc-communication and a common n-bit prime number. 
The party that initiates the communication will utilize the set G\ = (.91,52) 



while the other party will utilize the set G 2 — (33,34)- These public parameters 
are co-prime to each other and belong in the interval (2" _1 , 2™ — 1). In fact both 
parties will have keys generated by both sets for the eventuality of either initiat- 
ing communication or accepting incoming information. In this work we assume 
Along is initiating while Busu is accepting secure information. 

• Key Generation by Along -sender 

INPUT: The public prime number p, the public sets G\ and G 2 . 
OUTPUT: A public key for sending information e^, an ephemeral private 
key cIa for generating and a secret pair (ai,a 2 ). 

1. Generate a random private key cIa within the interval (2 n , 2" — 1). 

2. Compute &i = gidA^nod p). 

3. Compute d 2 = 32^4 (mod p). 

4. Generate two random and distinct n-bit ephemeral keys Uai and Ua2- 

5. Compute the secret integers a>i = d\ + kAiP and a 2 — d 2 + kA 2 p- Both a\ 
and a 2 belong in the interval (2 2n_1 , 2 2 " — 1). 

6. Let eA — 3301 + 340:2- 

• Key Generation by Busu -recipient 

INPUT: The public prime number p, the public sets G\ and G 2 . 
OUTPUT: A public key for receiving information es, an ephemeral private 
key <1b for generating e_e and a secret pair ((3i,(3 2 ). 

1. Generate a random private key ds within the interval (2 n_1 , 2™ — 1). 

2. Compute j3\ = g^ds (mod p). 

3. Compute f3 2 = g^ds (mod p). 

4. Generate two random and distinct n-bit ephemeral keys ksi and ks2- 

5. Compute the secret integers /3i = fii + ksiP and (3 2 = (i 2 + ksiP- Both (3\ 
and f3 2 belong in the interval (2 2 "-\ 2 2 " - 1). 

6. Let e B = 3i/?i +32^2- 

• Encryption by Along 

INPUT: The public key tuple (e^es), and the message M which is n-bits 
long and less than p. 

OUTPUT: The ciphertcxt C. 

1. Upon informing Busu of the intention to send secure data, Along receives 
Busu's public key es- 

2. Along then generates cab = dA&B = (mod p). 

3. Along then generates the ciphertext C\ = (M + eAB)(mod p). 



4. Next, Along produces sk = H(cab) where H is a collision resistant hash 
function. 

5. Along will then utilize a symmetric algorithm Enc, to produce C2 = Enc s k(M). 

6. Along will relay (Ci, C 2 , e A ) to Busu. 

• Decryption by Busu 

INPUT: The private key d B and the tuple {C 1 ,C 2 ,e A )- 
OUTPUT: The message M. 

1. Upon receiving ciphertext Busu computes cba = ds e A (mod p). 

2. Busu then computes M'=(Ci — es^^mod p). 

3. Busu then produces sk = H{eB A ) 

4. Busu then decrypts C2 with its corresponding symmetric decryption algo- 
rithm Dec to produce M = Dec^C-i). 

5. If My M then abort. 

6. Else output M' which is the message. 

Proposition 2. From the above mentioned algorithm cab — &ba- 

Proof. e A B = d A e B = (c?i/3i +a 2 /3 2 ) = (Ac?i +^2^2) = d B e / i(mod p) = e B A-* 

Proposition 3. The encryption process as mentioned above is IND-CCA2 se- 
cure. 

Proof. This is a sketch. Any change to C\ would result in the decrypted value 
from C\ which is M' which would differ from M — Dec s k(C2) with high proba- 
bility. Hence, abort. ■ 

Lemma 3. The problem of determining the secret parameters either from e A or 
e B is a BFHP. 

Proof. It is obvious that with high probability (w - since each gi are co- 
prime to each other) that the secret parameters in either e A or es are unique. 
Also, the difference between the secret and public parameters are n-bits, one can 
set n = 128. ■ 

4 Table of Comparison 

Let \E\ denote public key size. Let \M\ denote the message size. For RSA and 
ECC we utilize its parameters within its IND-CCA2 design. In determining the 
ciphertext size \C\ we also included the public keys to be transmitted (where 
applicable). Complexity time is taken in base case scenario deployed via the 
Fast Fourier Transform (FFT). 



Algorithm 


Encryption 
Speed 


Decryption 
Speed 


Ratio 
\M\ : \C\ 


Ratio 
|M| : \E\ 


Remark 


RSA 


0(n 2 log n) 


0(n 2 log n) 


1 : 2 


1 : 2 


2 parameter ciphertext 
of n-bits each 


ECC 


0(n 2 log n) 


0(n 2 log n) 


1 : 3 


1 : 2 


2 parameter ciphertext of n-bits each 
+ 1 n-bit public key 


NTRU 


0(n log n) 


0(n log n) 


Varies 2 


N/A 




This work 


0(n log n) 


0(n log n) 


1 : 5 


1 : 3 


2 parameter ciphertext of n-bits 
each + 1 3n-bit public key 



Table 1. Comparison table for input block of length n 



5 Conclusion 

We conclude this work by stating that an efficient asymmetric algorithm has 
been disclosed. By having complexity order of 0(n log n) for both encryption 
and decryption, it would cut f=s | of the running time of algorithms that do not 
achieve this speed. Furthermore, it achieves IND-CCA2 security. 
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